Set Up PKI Services Manager

Reflection PKI Services Manager is a service that validates certificates. If your client users will authenticate using smart cards or other forms of X.509 certificates, you need to install and configure this service. It is available at no additional charge from the Reflection Gateway download page. Reflection Gateway requires version 1.3.2 or later.

If you installed PKI Services Manager on Windows, you can configure required settings using the PKI Services Manager Console. Or, on both Windows and UNIX, you can configure these settings by editing the PKI Services Manager configuration files (pki_config and pki_mapfile). For detailed configuration information, see the PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

PKI Services Manager Configuration

  1. Download and install PKI Services Manager.

    PKI Services Manager can run on both Windows and UNIX systems. You can install it on the same system as Gateway Administrator or on another system in your network.

  2. Create a certificate store that contains the CA certificates that are required to validate your user certificates. On Windows, you can create a private certificate store or use the Windows certificate store. On UNIX, you need to create a private store (or use an existing store on your system).

  3. Specify one or more certificates to act as trust anchors, and specify where PKI Services Manager should search for intermediate certificates when building a path to your trust anchors.

    In the console, use the Trusted Chain pane. Or, in pki_config, use the TrustAnchor and CertSearchOrder keywords.

  4. Configure how PKI Services Manager should handle certificate revocation checking.

    In the console, use the Revocation pane. Or, in pki_config, use RevocationCheckOrder, and (depending on your configuration) OCSPResponders, OCSPCertificate, and CRLServers.

  5. Configure how certificates presented by users will map to allowed users. After PKI Services Manager has validated a user certificate, it will use the mapping you configure to return the user name that will be used to log on with this certificate.

    In the console, use the Identity Mapper pane. Or, add map rules manually to pki_mapfile.

    NOTE: For Reflection Gateway, your mapping configuration must return a single allowed user (including both domain and username) for each certificate. Some sample mapping configurations are shown below.

  6. Save all settings changes and restart the PKI Services Manager server.

Sample Mapping Rules for Transfer Client Authentication

When users log on to the Transfer Client or an alternate SFTP client using certificates, they present the certificate (for example, using a CAC card) without entering a user name. The mapping system you devise must use the presented certificate to identify a domain and user (domainName\userName) who can log on to the client. The mapping rule must return exactly one user ID. If multiple user ID values are returned, the login will fail.

NOTE: From the console, you can test mapping rules using Utility > Test Certificate. On UNIX, you can use the pki-client command line utility.

The following examples use a single map rule to return the name of an allowed user based on the contents of the certificate that user presents:

{ %Subject.CN% }

The allowed user name is equal to the value of the Subject Common Name field.

{ acme\%UPN.User% }

The allowed user name is constructed by combining the domain acme\ with the value found in the userID portion of the UPN field.

It is also possible to configure multiple map rules. PKI Services Manager processes each rule in order until it finds a condition that matches the validated certificate. For example:

RuleType user
{ acme\dgreen } Subject.Email Equals donald.green@acme.com
{ acme\jblue } Subject.Email Equals joseph.blue@acme.com

Rules that return multiple names for the same certificate are not supported for user authentication. The following example returns two valid user names for the same certificate. In this case, a logon attempt using the certificate will always fail.

{ acme\root acme\dgreen } Subject.Email Equals donald.green@acme.com
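
A pre-deployment check for the single-user requirement described above, as an added example that is not part of the original documentation or the product: a Python script that scans map rules in the form shown on this page and flags any rule that returns more than one identity, or an identity with no literal domain prefix. The name lint_mapfile, the sample rules, and the treatment of whitespace-separated tokens inside the braces as separate identities are assumptions; only the rule syntax shown on this page is handled.

```python
import re

# Rule shape shown on this page: "{ identities } [condition]".
RULE_RE = re.compile(r"^\{\s*(?P<ids>[^}]*?)\s*\}\s*(?P<cond>.*)$")

# Constructed sample rules, built from the examples on this page.
SAMPLE = r"""RuleType user
{ acme\dgreen } Subject.Email Equals donald.green@acme.com
{ acme\root acme\dgreen } Subject.Email Equals donald.green@acme.com
{ %Subject.CN% }
{ acme\%UPN.User% }
"""

def lint_mapfile(text):
    """Return (line_number, message) findings for rules that cannot
    yield exactly one domain\\user identity."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and the RuleType directive.
        if not line or line.startswith("RuleType"):
            continue
        match = RULE_RE.match(line)
        if not match:
            findings.append((lineno, "not in '{ identity } condition' form"))
            continue
        # Assumption: whitespace separates identities inside the braces.
        ids = match.group("ids").split()
        if len(ids) != 1:
            findings.append((lineno, "returns %d identities; exactly one "
                             "is required" % len(ids)))
            continue
        # A value substituted from the certificate cannot be checked
        # statically, so it is flagged for a certificate test instead.
        if "\\" not in ids[0]:
            findings.append((lineno, "'%s' has no literal domain prefix; confirm "
                             "the returned value with a certificate test" % ids[0]))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_mapfile(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

A finding on a substituted value such as %Subject.CN% is a prompt to run Utility > Test Certificate or pki-client against a real certificate, not proof that the rule is wrong.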